Everything posted by JeanInMontana

  1. Why are you posting a log? Is he having symptoms of an infection? If you want help identifying what is not needed I can help with that and there is also the free program we have here StartUpLite. He is running a version of Adobe that is unsafe and it should be updated. I missed this before too... O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
  2. Hi lurkingatu2, sorry for the delay in a response for you. He has a lot of junk running and this version of HJT doesn't show as much as the TrendMicro one. Is he using Comcast or AOL for ISP? Is it dial-up or broadband connection? Let's get rid of these with HJT O9 - Extra button: (no name) - Software - (no file) O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} - Then have him do the following please. If you haven't already, please get these programs, update and run a complete scan removing all items found. Spybot Search & Destroy Be sure to immunize also. AVG AntiSpyware Then go here and run a scan PandaActive Scan There is a tutorial on how to do this at the top of this forum. Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures. It would be so much faster and easier if he would join and respond to this thread himself.
  3. Thanks, in the future please do not reply to any posts in this forum unless they are your thread or topic.
  4. It doesn't work that way. In a week we will have to start over. Too many changes will have taken place and I will need to see all new logs. I know it's not your fault, but that is just the way these things work. If a user doesn't respond within 5 days I close the thread because all the information is old. To get the Avast to stop she needs to shut off the service in computer management. Then find the files and reg keys left from the uninstall.
  5. Forgot to say put a check next to this item in HJT and click fix. O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp You should also contact all banks and credit card companies and notify them you may be the victim of identity theft. Have them change passwords and cancel cards etc. Do not login to these accounts while you have this trojan. There is the possibility it can't all be found and removed and the only way to be sure it is gone is by a reformat.
  6. Hi and welcome to Malwarebytes. What "other tools" have you used? If you haven't already, please get these programs, update and run a complete scan removing all items found. Spybot Search & Destroy AVG AntiSpyware Then go here and run a scan PandaActive Scan Post the logs from the Panda and AVG scans please, along with a log from HiJack This. There is a tutorial on how to scan and save a Panda log at the top of this forum. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures. To be clear you will post a log from AVG all items removed. A log from Panda all items found removed. A new log from HJT.
  7. That's fine, you should reboot also. I should have said that. Often after the reboot is when the stuff will rear its ugly head again. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan. SpywareBlaster from Javacool Software WinPatrol by BillPStudios SiteHound by FireTrust RogueRemover hpHosts For an excellent list of reliable free firewalls and antivirus programs see here. Since this issue is resolved I will close the topic. If you need further assistance PM me and I will reopen the thread. The advice in this topic is for this system only. Applying to another system can result in utter ruination.
  8. You need to do the Panda scan. Shut down all extra programs and un-needed stuff and let the scan run undisturbed. No surfing etc. It should be some better because SDFix got two trojan files. She didn't clean the tracing cookies though when action is taken it shows in the log. Run Panda and post that log and a new HJT.
  9. Have the popups stopped? Several files were taken out associated with an infection. You have some final steps if we have got rid of the popups. If you are still getting them we need to do more scans.
  10. You're welcome. If you need help again we are here. Since this issue is resolved I will close the topic. The instructions in the topic are for this system only. Applying them to another system can result in complete and utter ruination. Post your own topic for help.
  11. Your log isn't showing any malware. If the 017 line is from your ISP then it is fine too. You do have a very outdated and security risk version of Adobe and you should update it ASAP. I also don't see a stand alone firewall. You need something that monitors traffic leaving your PC. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan. SpywareBlaster from Javacool Software WinPatrol by BillPStudios SiteHound by FireTrust RogueRemover hpHosts For an excellent list of reliable free firewalls and antivirus programs see here. If you're not having any symptoms we can call this issue resolved. Let me know if you feel the machine is all clear.
  12. OK now the culprit is exposed. We can destroy it. Please delete the SmitFraud fix before continuing. Please download Navilog1 by IL-MAFIOSO: http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip
      * Double click on Navilog1 shortcut icon on your desktop to run it.
      * Press E for English from the language Menu.
      * Type 3 in the next Menu and press Enter.
      * The tool will then advise you that it will restart your computer.
      * Close all open windows and save personal documents, if open, too.
      * If your computer doesn't restart automatically, restart it manually.
      * Choose your usual session.
      * Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time)
      * A new document will be produced.
      * Please copy/paste the contents of this report in your next reply.
      * Your desktop will now appear.
      Note: In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task. The report is also saved in the root directory, %SystemDrive%\cleannavi.txt (usually C:\cleannavi.txt)
      You may also want to consider AVG's advice about this item: Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\Documents and Settings\Main\Desktop\Programs\InternetGameBox_setup.exe It could very well be the root of this evil. After the NaviPromo tool runs please post a new HJT log and we will finish the clean up.
  13. Hi and welcome to Malwarebytes. I see you have also posted a log here http://forums.afterdawn.com/thread_view.cfm/551008#3332636 Which forum do you intend to get help from? You can't get help at two forums at the same time. You risk doing system damage and you're wasting a volunteer's time that can be helping someone else.
  14. Well, I would expect that with a clean reinstall. I thought you meant it doesn't remember the setting at all in the new program version.
  15. Hi Coleberg and welcome to Malwarebytes. Please set your system to show all files; Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. Print or Copy these instructions to notepad and save to your Desktop as you will be offline with all browsers closed for this fix.
      Download: Use this URL to download the latest version (the file contains both English and French versions): You may have to right click and choose save as http://siri.urz.free.fr/Fix/SmitfraudFix.exe
      * Double-click SmitfraudFix.exe
      * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
      Clean:
      * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
      * Double-click SmitfraudFix.exe
      * Select 2 and hit Enter to delete infected files.
      * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
      * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
      * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
      * Optional:
        o To restore Trusted and Restricted site zone, select 3 and hit Enter.
        o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
      Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
      Post the log from this before continuing the next portion of the fix, please. If you haven't already, please get these programs, update and run a complete scan removing all items found. Spybot Search & Destroy AVG AntiSpyware Then go here and run a scan PandaActive Scan Post the logs from the Panda and AVG scans please, along with a log from HiJack This. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  16. Hi there and welcome to Malwarebytes. It is impossible to tell what might be the root of your problem with the information you have given. We can do a check to see if it is malware related and go from there. If you haven't already, please get these programs, update and run a complete scan removing all items found. Spybot Search & Destroy AVG AntiSpyware Then go here and run a scan PandaActive Scan There is a tutorial at the top of this page for how to run and save a Panda scan. Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! Be sure you install the program into a permanent location, I suggest Program Files. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures if you are infected. To make sure instructions are understood you will post a log from AVG, then you will run the Panda online scan and post that log, then you will run the HJT scan and post that log. Three logs one at a time.
  17. OK my first post was using the update feature in the version I had. Then I saw I had a link in email so I uninstalled and installed the new one. DB 132 6754 finger prints, Quick Scan in 3:17 12060 objects scanned Full scan 27:42 83804 objects. It found the Antivir update and did ignore just fine. It also worked for file delete, and save bug report, save scan report. Report bug, and f/p open OE all ready to go. I tried to recreate Joe53's error and can't.
  18. Full scan 30:15 ignore list worked flawlessly. Data base updated to 131. 6632 fingerprints. Glad to see a new release. Quick scan 3:12.
  19. They might have fixed them. They do look like they will download from there.
  20. Hello again. AVG Anti Spyware detected a virus? Or AVG Anti Virus? What did she uninstall? Did she already uninstall Avast and that is why it is not in Add/Remove? You need to tell this user that they have an infection that gathers information and takes control of the system. They need to contact all credit card and banks immediately as their identity could have been stolen. I can't guarantee we can get rid of this. The only way is to reformat. If she decides to go ahead these are the beginning instructions.
      Please set your system to show all files; Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
      Next, download SDFix by AndyManchesta: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe Save it to the Desktop. Right click the SDFix.zip folder Select: Extract All to extract it to its own folder on the Desktop.
      ~~~~
      Now, reboot to Safe Mode:
      - Restart your computer.
      - When the machine first starts again, tap the F8 key before Windows starts
      - You are presented with a Windows XP Advanced Options menu.
      - Select the option for Safe Mode using the arrow keys.
      - Press Enter to boot into Safe Mode.
      ~~~~
      In Safe Mode, open the SDFix folder on the Desktop, and double click RunThis.bat to start the script. Type Y to begin the cleanup process. The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot. Press any key to restart the PC. When the PC restarts the SDFix will run again and complete the removal process. It then displays Finished Press any key to end the script and load the Desktop icons. Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.
If you haven't already, please get these programs, update and run a complete scan removing all items found. Spybot Search & Destroy AVG AntiSpyware Then go here and run a scan PandaActive Scan Post the logs from the Panda and AVG scans please, along with a log from HiJack This. I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.
  21. Strange, this is what I see.

          //
          // This file is the central clearing house for all requests
          // that come into the blender system. In order for this file
          // to intercept requests, make sure that your .htaccess file
          // is correctly configured to point here and to pass along the URL.
          // You'll also want to have an exception in your .htaccess file
          // to not redirect files if they live in the /public directory, so
          // that you can put images and non-blender'd files in there.
          //
          // URLs that we process generally look like this:
          //
          // http://your.server.com/controllerpart/action/argument1/argument2...
          //
          // The controllerpart can contain slashes, such as
          // backstage/user
          //
          // The action part is always a single word -- no slashes.
          // The args part contains everything after the action.
          //
          include "blender.php";
          BlenderController::load_controller( "RootController" );
          global $blender_start_time;
          $blender_start_time = microtime( true );
          $uri = $_SERVER['REQUEST_URI'];
          dbg( "-----------\nreqst: '$uri'\nrefer: " . ( isset( $_SERVER['HTTP_REFERER'] ) ? "'" . $_SERVER['HTTP_REFERER'] . "'" : "''" ) . "\nagent: " . ( isset( $_SERVER['HTTP_USER_AGENT'] ) ? "'" . $_SERVER['HTTP_USER_AGENT'] . "'" : "''" ) . "\nconfg: '" . BlenderEnv::$selected_config . "'" );
          //
          // handle a few preliminary tasks
          //
          if( isset( BlenderEnv::$maintenance ) && "" != BlenderEnv::$maintenance ) {
              header( "Refresh: 0;URL=" . BlenderEnv::$maintenance );
              exit();
          }
          if( BlenderEnv::$time_limit >= 0 ) {
              //dbg( "nexus: setting config'd time limit to " . BlenderEnv::$time_limit );
              set_time_limit( BlenderEnv::$time_limit );
          }
          if( isset( BlenderEnv::$profiling ) && BlenderEnv::$profiling && function_exists( 'apd_set_pprof_trace' ) ) {
              apd_set_pprof_trace();
          }
          //
          // if the URI contains a question mark, remove everything after the question mark
          // this info exists in the $_GET superglobal.
          //
          if( false !== ( $qmark = strpos( $uri, "?" ) ) ) {
              //
              // remove the query section from the URL
              //
              $uri = substr( $uri, 0, $qmark );
          }
          //
          // we don't want the URI to start with a "/"
          // unless there's nothing in the URI but a slash
          //
          if( $uri[0] == "/" && isset( $uri[1] ) ) {
              $uri = substr( $uri, 1 );
          }
          $split = explode( "/", $uri );
          //
          // create the root controller to handle the action
          //
          $controller = BlenderController::make( "RootController" );
          $controller->invoke( "", $split );
          $controller->finished();
          //
          // close the session
          //
          flush();
          session_write_close();
          ?>
  22. Of all those links only HardHeads is live. Sho-Dan's is PHP code for me not even a real site, very strange. All of Tigger's redirect to the sign up form here.